Post on 04-Jul-2020
5/22/2014
1
InfoSec for Compliance Officers
A non-threatening, non-technical discussion of information security frameworks, regulations, and realities
Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer, University of Kentucky
June 2014
Disclaimer
The content, discussion, or materials presented are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem or advice. Use of and access to this information or material does not create an attorney-client relationship between Michael Carr and you, the conference attendee. The opinions expressed during this presentation are the opinions of the author and do not reflect the opinions or advice of the SCCE, the University of Kentucky, the Commonwealth of Kentucky or anyone else on planet Earth.
Any rebroadcast, retransmission, or account of this presentation, without the express written consent of Major League Baseball, er…, I mean, SCCE, is strictly prohibited. This presentation is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Do not use while operating a motor vehicle or heavy equipment. You must be present to win. Subject to change without notice. Disclaimer includes misuse, accident, lightning, flood, tornado, tsunami, volcanic eruption, earthquake, hurricanes and other Acts of God, neglect, damage from improper reading, incorrect line voltage, improper or unauthorized reading, broken antenna or marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, mud slides, forest fire, or projectile (which can also include, but not be limited to, arrows, bullets, shot, BB's, shrapnel, lasers, napalm, torpedoes, or emissions of X-rays, Alpha, Beta and Gamma rays, knives, stones, head slaps, nasty tones, mean looks or thoughts, etc.)
Leave no stone unturned…
Feel free to ask any question at any time
Com·pli·ant /kəmˈplīənt/
1. Yielding, inclined to obey rules, esp. to an excessive degree; acquiescent.
2. Produced or performed in accordance with a specified body of rules.
Body of Rules?
ADA, Clery Act, Equal Pay Act, CALEA, HEOA, OSHA, Title VII, CAN-SPAM, Title IX, Export Control Act, GLBA, COPPA, Title VI, E-Verify, Campus SaVE Act, ECPA, FCRA, Copyright Act, Junk Fax Prevention, SOX, DMCA, ITAR, FOIA, Truth in Lending, TEACH Act, FERPA, HIPAA, Age Discrimination, FMLA, ERISA, HITECH Act
Great resource: www.HigherEdCompliance.org
Body of Rules? What’s missing?
InfoSec-related
Body of Rules?
Most specify the what, not necessarily the how or the to what extent.
Missing: an InfoSec Framework (standards, guidelines and practices)
Agenda
1. Review several InfoSec Frameworks
2. Discuss the “How”s and the “To What Extent”s
3. Discuss “safeguards”, practices, and InfoSec’s dirty little secrets (really IT’s secrets)
1. Review several InfoSec Frameworks
The CIA Triad
Information Security’s Objective: to ensure the confidentiality, integrity and availability of information.
Unfortunately, jargon tends to get in the way.
1. Review several InfoSec Frameworks
Aren’t you just talking about regulations that have information security (and privacy) requirements? HIPAA, GLBA, PCI, etc.
What’s an information security framework?
An Information Security Framework: a loosely-defined term for the various & sundry documents/programs that have been produced from a variety of sources, most of which give advice and counsel regarding information security policies and practices; i.e., a roadmap.
1. Review several InfoSec Frameworks
How about some examples?
a) ISO 27000 – Series of InfoSec standards developed by the International Organization for Standardization (ISO).
b) FISMA – Series of federal govt InfoSec standards & practices developed by the National Institute of Standards & Technology (NIST).
c) COBIT – ISACA-developed IT governance objectives & best practices.
1. Review several InfoSec Frameworks

| Framework | Focus | Governance | Risk | Asset Mgmt |
| --- | --- | --- | --- | --- |
| ISO 27000 Family | Initiating, implementing, maintaining & improving InfoSec mgmt in an organization | §5 – InfoSec policy doc should be approved by mgmt, etc. | §4 – Risk assessments should be performed periodically | §7 – All assets should be clearly identified & an inventory of all important assets drawn up & maintained |
| FISMA / ’14 Cybersecurity Framework | Identifying, assessing & managing cybersecurity risk | §ID.GV – Organizational information security policy is established | §ID.RA – Threats, vulnerabilities, likelihoods and impacts are used to determine risk | §ID.AM – Devices, systems, SW & apps w/in organization are inventoried |
| COBIT | Linking business goals to IT goals; ID IT process owner responsibilities | Define specific responsibilities for mgmt of security | §PO – Discover, prioritize & either contain or accept relevant IT security risks | §DS – Ensure inventory of HW & SW are complete & regularly updated |
1. Review several InfoSec Frameworks
HITRUST’s Common Security Framework (CSF) is a healthcare-oriented set of security standards based on ISO, NIST, HIPAA & HITECH.
1. Review several InfoSec Frameworks
And just like most roadmaps, each framework will get you there, but you have to decide…
Do I take the highway?
Do I avoid tolls?
What encryption method is best?
2. The “How”s and the “To What Extent”s
For example, ISO 27000 & Data Classification:
“Information should be classified in terms of its value, legal requirements, sensitivity and criticality to the organization.”
“In general, the classification given to information is a shorthand way of determining how this information is to be handled and protected.”
Nowhere does it say “restricted”, “sensitive”, “confidential”, etc.
2. The “How”s and the “To What Extent”s
For example, ISO 27000 & Password Mgmt:
“Passwords are a very common way to provide identification & authentication based on a secret that only the user knows.”
“Passwords are one of the principal means of validating a user’s authority to access a computer service.”
Nowhere does it say “87-character passphrase that must be changed every other hour”, etc.
2. The “How”s and the “To What Extent”s
Is there an “informing” document?
• Are there specific safeguards stated/required?
• Are all circumstances & contexts stated/required?
Take a look at SANS’ “Top 20 Critical Security Controls”:
• Explains why each control is critical
• Lists ways to implement the control
• Lists ways to test effectiveness of the control
2. The “How”s and the “To What Extent”s
For example, ISO 27000 states: “A policy on the use of cryptographic controls for protection of information should be developed and implemented.”
SANS’ Critical Security Control 17: Data Protection
“The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise.”
“Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.”
2. The “How”s and the “To What Extent”s
Why not adopt the “Top 20 Critical Security Controls”?
• SANS Institute is a training & security certification company
• Privately held (Alan Paller)
• Not an “independent” international standard
• Not mandated by DoD, NIH, HHS, etc.
3. “Safeguards”, practices and InfoSec’s dirty little secrets
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. (45 CFR 164.530(c))
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Technical Safeguards?
HHS: The Security Rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. Therefore, no specific requirements for types of technology to implement are identified.
“Gee, thanks for the details.”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Technical Safeguards?
• HHS: Encryption, Access Controls
• PCI: Firewall, Intrusion Detection System (IDS)
Generally, technical safeguards involve information security-related hardware and software.
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Sometimes, more guidance is given…
Technical Safeguards: “Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR 164.132(a)(2)(iv))
“Is an Ovaltine Decoder Ring sufficient?”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
But isn’t standardizing on an encryption algorithm just a Snipe Hunt?
“Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU” (www.extremetech.com, 12/18/2013)
“Isn’t that like shooting at a moving target?”
“Or like playing Whack-a-Mole?”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Administrative Safeguards?
• Policies: high-level statements relating to information protection
• Standards: low-level mandatory controls that help enforce InfoSec policy
• Guidelines: recommended, non-mandatory controls that help support standards or serve as a reference
Why then are our password requirements called “The Password Policy”?
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Physical Safeguards?
• Fences
• Locked Cabinets
• Media Destruction
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
• Most InfoSec Professionals are ethical (CISSP requires commitment to the (ISC)2 Code of Ethics)
• Most SysAdmins are not certified (and, as such, do not necessarily commit to a Code of Ethics)
• Many treat Compliance like External Audit (and only answer the questions that are asked)
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
So, you have to learn how to ask the right questions…
• “Does this system have any backdoors?”
• “Give me a list of accounts with non-expiring passwords.”
• “Give me a list of accounts that do not require a password.”
• “What systems are exempt or have been given a waiver from our password policy?”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
So, you have to learn how to ask the right questions…
• “Does this system have any backdoors?”
• “Give me a list of accounts with passwords that do not comply with our password policy.”
• “Give me a list of accounts on this system that have elevated privileges.”
• “Give me a list of accounts on this system that can have their privileges elevated by an account on any other system.”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
So, you have to learn how to ask the right questions…
• “Does this system comply with our email retention policy?”
• “Do we allow any users to print email?”
• “Is the PrintScreen function enabled on any systems?”
• “Do we allow any users to use their personal webmail, Gmail, Yahoo Mail or any other non-University email system?”
• “Where are email archives stored?”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
So, you have to learn how to ask the right questions…
• “Does this system comply with our patch policy?”
• “Print out a system report or Error Log showing the currently installed patch level on every server.”
• “Print out a Change Management log documenting when every server’s latest patches have been applied.”
• “Are there any systems exempt or that have been given a waiver from our patch policy?”
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
So, you have to learn how to ask the right questions…
• “Is access by SysAdmins to production data tracked?”
• “What accounts have higher privileges on non-production systems than they have on production systems?”
• “Are there any production data whatsoever stored on any non-production systems (“systems” includes servers, laptops, desktops, phones or any device on which data can be stored)?”
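Three of the questions above (accounts that do not require a password, accounts with non-expiring passwords, accounts with elevated privileges) can be answered from a Linux account export rather than from whatever the SysAdmin chooses to volunteer. The script below is an added example, not part of the presentation; it assumes standard /etc/passwd, /etc/shadow and /etc/group formats, and every account line in it is constructed for illustration.

```python
"""Added example: answer three compliance questions from a constructed
Linux account export (passwd/shadow/group formats assumed)."""

# Constructed sample data; the uid-0 "dbadmin" and the empty-hash
# "svc_backup" entries are the kind of finding the questions are after.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dbadmin:x:0:1001:legacy db admin:/home/dbadmin:/bin/bash
svc_backup:x:1002:1002::/var/backup:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$salt$hash:19500:0:90:7:::
dbadmin:$6$salt$hash:19500:0:99999:7:::
svc_backup::19500:0:90:7:::
alice:$6$salt$hash:19500:0::7:::
"""
GROUP = """\
wheel:x:10:alice
sudo:x:27:
"""
ADMIN_GROUPS = {"wheel", "sudo"}   # groups that grant elevated privileges


def _rows(text, n):
    """Split colon-delimited records, padding short rows to n fields."""
    return [(line.split(":") + [""] * n)[:n]
            for line in text.splitlines() if line]


def audit_accounts(passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Return the three account lists a compliance officer would ask for."""
    findings = {"no_password": [], "non_expiring": [], "elevated": []}
    for row in _rows(shadow, 9):
        name, pw_hash, max_days = row[0], row[1], row[4]
        if pw_hash == "":            # empty hash: login needs no password at all
            findings["no_password"].append(name)
        # empty max-days (or 99999) means the password never has to change
        if max_days == "" or (max_days.isdigit() and int(max_days) >= 99999):
            findings["non_expiring"].append(name)
    admins = set()
    for row in _rows(group, 4):
        if row[0] in ADMIN_GROUPS:
            admins.update(m for m in row[3].split(",") if m)
    for row in _rows(passwd, 7):
        name, uid = row[0], row[2]
        if uid == "0" or name in admins:   # uid 0 is root, whatever the name
            findings["elevated"].append(name)
    return findings


if __name__ == "__main__":
    for question, names in audit_accounts().items():
        print(f"{question}: {', '.join(names) or 'none'}")
```

Run against a real export, the same three lists become the evidence behind the answers rather than the SysAdmin's word for them.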
3. “Safeguards”, practices and InfoSec’s dirty little secrets
Practices (and dirty little secrets)
• Most SysAdmins have more than one account.
• Most test, development and QA systems are filled with production data.
• Many accounts have more access on test, development and QA systems than they do on production systems.
• Most SysAdmins hate coming into the office to work on incidents.
• Most SysAdmins have multiple computers at home that are used to address incidents.
Wrap-up
1. Review several InfoSec Frameworks
2. Discuss the “How”s and the “To What Extent”s
3. Discuss “safeguards”, practices, and IT’s dirty little secrets
• Having a Framework is more important than which Framework.
• The devil is in the details.
• Most SysAdmins are not business-oriented, want to be left alone to do their jobs and think that compliance and audit add little value.
Wrap-up
• And most SysAdmins hate having to explain jargon or the details of how systems work.
... and they have jackets
Questions?
Michael Carr, JD, CISSP, CIPP
Chief Information Security Officer, University of Kentucky
June 2014
Thank you
Michael Carr, JD, CISSP, CIPP
Michael.Carr@uky.edu
June 2014